Description of problem:
We are moving qpid to only listen on localhost in Satellite because of BZ1252573. So we add 'localhost' as an alternate DNS name on our certificate. Candlepin fails with this error:

Caused by: org.apache.qpid.AMQException: Cannot connect to broker: SSL hostname verification failed. Expected : localhost Found in cert : centos7-bats.example.com

It's due to qpid's java library in 0.30 only verifying the CN:
https://github.com/apache/qpid/blob/0.30/qpid/java/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java#L58-L62

It's fixed in later versions it seems:
https://github.com/apache/qpid-java/blob/trunk/common/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java#L141-L150

Version-Release number of selected component (if applicable):
candlepin-0.9.54.4-1.el7.noarch

How reproducible:
Always

Steps to Reproduce:
1. Create a certificate with alternate hostname and use it for qpid
2. Have candlepin configured to use alternate hostname

Actual results:
SSL verification fails

Expected results:
SSL verification succeeds
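The difference between the two SSLUtil revisions linked above is the difference between matching the expected host against the subject CN only and matching it against the dNSName entries of the Subject Alternative Name extension. The following is an added example, not code from qpid, candlepin or this bug report, written in Go rather than Java so it runs stand-alone: makeCert builds a throwaway self-signed certificate shaped like the Katello one (CN and SAN names taken from this report, key material generated fresh on each run), cnOnlyVerify is a hypothetical helper that models the 0.30 CN-only check, and sanVerify uses Go's RFC 6125 style VerifyHostname as the SAN-aware counterpart. It also shows the caveat that cuts the other way: once a SAN extension is present, a name that appears only in the CN no longer matches.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// makeCert builds a throwaway self-signed certificate with the given subject CN
// and dNSName SAN entries. The names mirror the Katello-generated certificate
// quoted in this bug; the key is constructed fresh on every run and is not a
// real Satellite certificate.
func makeCert(cn string, dnsSANs []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn, Organization: []string{"pulp"}},
		DNSNames:     dnsSANs, // emitted as the X509v3 Subject Alternative Name extension
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// cnOnlyVerify (hypothetical helper) models the qpid-java 0.30 SSLUtil check:
// the expected host is compared with the subject CN only and the SAN extension
// is never consulted. The error text follows the message candlepin logs here.
func cnOnlyVerify(cert *x509.Certificate, host string) error {
	cn := cert.Subject.CommonName
	if strings.EqualFold(cn, host) {
		return nil
	}
	return fmt.Errorf("SSL hostname verification failed. Expected : %s Found in cert : %s", host, cn)
}

// sanVerify is the RFC 6125 style check: when a SAN extension is present its
// dNSName entries are authoritative and the CN is not a fallback. Go's
// VerifyHostname implements that (and since Go 1.15 never consults the CN).
func sanVerify(cert *x509.Certificate, host string) error {
	return cert.VerifyHostname(host)
}

func report(label string, err error) {
	if err != nil {
		fmt.Printf("%-32s FAIL: %v\n", label, err)
		return
	}
	fmt.Printf("%-32s ok\n", label)
}

func main() {
	// The certificate from this bug: CN=qpid-localhost.example.com,
	// SAN: DNS:qpid-localhost.example.com, DNS:localhost
	broker := "qpid-localhost.example.com"
	cert, err := makeCert(broker, []string{broker, "localhost"})
	if err != nil {
		panic(err)
	}
	report("CN-only, host=localhost", cnOnlyVerify(cert, "localhost"))
	report("CN-only, host=FQDN", cnOnlyVerify(cert, broker))
	report("SAN-aware, host=localhost", sanVerify(cert, "localhost"))
	report("SAN-aware, host=FQDN", sanVerify(cert, broker))

	// Caveat: a cert that lists localhost in the SAN but leaves the broker
	// FQDN only in the CN is rejected by a SAN-aware client connecting by FQDN,
	// so both names must go into the SAN, not just the new one.
	cnOnly, err := makeCert(broker, []string{"localhost"})
	if err != nil {
		panic(err)
	}
	report("SAN-aware, FQDN only in CN", sanVerify(cnOnly, broker))
}
```

Run with `go run` to see the CN-only check reject localhost while the SAN-aware check accepts it, and the last line shows why the SAN must carry every name clients will use, not only the one being added.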
Fixed in version 0.9.54.6-1
Why are the "depends on" bugs of this bug still in Modified state while this bug is on QE? May I verify this bug before those 2 bugs get verified?
There's nothing to verify here, it's a dev task to upgrade the version of the qpid library that ships with candlepin. The dependent bug needs that first.
Verified! This bug has nothing to test from a QE perspective as it's not customer facing. So moving to verified state.
Feel free to reopen if required.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2016:1501
Hi,

This doesn't seem to be working for me, on this version of candlepin:

[root@qpid-localhost tomcat]# rpm -q candlepin
candlepin-0.9.54.6-1.el7.noarch

Tomcat still shows this error:

Caused by: java.lang.RuntimeException: javax.jms.JMSException: Error creating connection: SSL hostname verification failed. Expected : localhost Found in cert : qpid-localhost.example.com

The certificate shows alt names:

    X509v3 Subject Alternative Name:
        DNS:qpid-localhost.example.com, DNS:localhost

Full certificate:

[root@qpid-localhost tomcat]# openssl s_client -connect localhost:5671 | openssl x509 -noout -text
depth=1 C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = qpid-localhost.example.com
verify return:1
depth=0 C = US, ST = North Carolina, O = pulp, OU = SomeOrgUnit, CN = qpid-localhost.example.com
verify return:1
140409204340640:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:1259:SSL alert number 42
140409204340640:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:184:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 12201245780118169912 (0xa95388645d2d6938)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=North Carolina, L=Raleigh, O=Katello, OU=SomeOrgUnit, CN=qpid-localhost.example.com
        Validity
            Not Before: Oct  6 14:00:59 2016 GMT
            Not After : Oct  8 14:00:59 2036 GMT
        Subject: C=US, ST=North Carolina, O=pulp, OU=SomeOrgUnit, CN=qpid-localhost.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c8:2d:bb:51:c0:3f:af:77:69:5f:cd:3f:19:9b:
                    ef:7a:06:fb:3d:d9:df:4c:72:69:d5:1d:54:1a:d0:
                    48:fc:72:fe:96:ba:ee:57:f8:97:03:d7:39:d3:4b:
                    a8:e7:f4:92:10:64:73:48:b2:aa:19:ce:0f:df:75:
                    c3:d9:01:3c:28:a9:a3:cf:7c:81:c1:bd:3b:e3:69:
                    5c:6b:b1:b4:a3:e6:f5:b3:86:77:7b:eb:d4:5e:84:
                    1e:0a:9b:eb:e1:8f:7b:47:38:98:16:ad:15:f8:45:
                    f5:28:35:ba:52:ed:e6:06:03:84:ee:f4:ec:38:a4:
                    e0:dc:ca:1e:c1:30:f4:b3:8c:7b:c6:3d:c3:5e:d8:
                    55:6e:69:5e:0b:e5:b3:b0:cc:49:c5:e1:ad:84:0c:
                    a7:98:5f:de:90:11:41:88:86:be:cd:ae:bc:25:15:
                    e1:d4:2d:7e:a6:18:09:50:a0:31:24:49:80:51:e0:
                    f9:92:c4:65:9a:c6:d1:fe:57:ca:bf:bc:92:cb:89:
                    08:3b:e6:26:07:34:db:f9:d8:87:9d:13:b5:aa:e3:
                    34:71:c1:d2:00:73:1c:cb:27:ab:e9:02:4e:8e:0b:
                    ec:a6:84:8d:f6:b3:6a:39:12:cb:c1:fb:ef:98:d3:
                    96:1a:9e:c4:e1:12:89:df:42:6b:18:da:0e:7d:c5:
                    0d:c7
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            Netscape Cert Type:
                SSL Server
            Netscape Comment:
                Katello SSL Tool Generated Certificate
            X509v3 Subject Key Identifier:
                18:71:4B:69:4B:E8:F1:BB:48:A6:E1:51:D7:72:34:52:AF:37:D0:9C
            X509v3 Authority Key Identifier:
                keyid:88:39:0F:2A:B8:B8:B0:6E:9B:66:1D:3C:A9:59:CA:0D:15:CB:9A:54
                DirName:/C=US/ST=North Carolina/L=Raleigh/O=Katello/OU=SomeOrgUnit/CN=qpid-localhost.example.com
                serial:A9:53:88:64:5D:2D:69:2F
            X509v3 Subject Alternative Name:
                DNS:qpid-localhost.example.com, DNS:localhost
    Signature Algorithm: sha256WithRSAEncryption
         2a:53:88:c4:89:12:00:50:84:1f:78:c5:b8:45:d7:41:3c:8d:
         57:b5:22:60:0d:86:a7:49:50:76:c1:46:01:9c:5e:06:ea:50:
         7f:10:46:21:af:2c:3f:e9:01:80:38:66:e3:6b:3e:d6:93:33:
         77:ea:88:d5:0b:2e:b4:18:8a:7c:ce:14:c4:cf:0a:b2:59:5b:
         3b:46:08:98:65:74:4b:af:dc:75:13:c5:b4:29:f3:de:b5:3d:
         5c:3c:e5:75:55:4b:c6:3b:49:d8:ce:4c:b9:bd:1a:51:12:0d:
         11:ad:d8:09:06:f7:5f:4f:dc:86:42:97:0b:b3:01:31:4c:b3:
         a6:ff:4b:7f:0f:8f:8a:50:84:b9:8b:32:07:ef:9e:cd:1e:c9:
         fc:0c:30:6f:29:95:ed:15:ee:77:77:41:fa:e4:f7:eb:9c:41:
         0b:ab:75:28:d3:25:bf:b1:1f:b5:f0:0d:a9:d8:5a:9c:ac:9f:
         96:63:c3:e7:d2:75:c4:d4:6d:8d:2f:73:ce:f6:4c:cb:82:78:
         03:57:9c:4a:df:74:b0:91:d7:34:03:dc:c1:ed:44:a4:89:b2:
         c2:d9:8a:83:11:29:ed:e6:8e:a8:02:d1:80:b5:67:c6:c0:23:
         8d:f6:08:5d:de:31:4d:86:ee:ce:58:ef:f5:a3:82:27:ba:8b:
         31:9e:71:20
Stephen, if you are still seeing this issue then please re-open.
Fixed in version 0.9.54.10-1
Seems like this should already be closed out. I have candlepin-0.9.54.21-1.el7.noarch on my 6.2.10 install. Does that sound good to you, Barnaby?
Craig, I would agree.
Per the comments above, I am closing this out as CURRENT RELEASE.